Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Combine two queries into a single value

tmurray3
Path Finder
‎09-20-2011 12:50 PM

I am trying to develop a dashboard which will display a single value panel. I created the following query:

index=iam_sitexfer AND ""/monitor/bigip.jsp HTTP/1.0" 200 " earliest=-5m 
|stats count by host, source 
|stats count
|rangemap field=count low=0-10 elevated=11-100 default=severe

The query returns a single range value of low, elevated or default.

I have another query which returns a single range value as well:

index=iam_sitexfer AND " AUTHENTICATED" earliest=-5m 
| stats count by host, source
|stats count
|rangemap field=count low=0-200 elevated=201-500 default=severe

Now I would like to somehow run the two queries together and return the highest range value status from either query.

For example, if query A range value returned low and query B returned severe, I would like to return only the the severe value.

Is there a way to run two queries and then evaluate the range value to return a single value?

Thanks in advance for your help!!

Tags (1)
0 Karma
Reply

tmurray3
Path Finder
‎09-21-2011 05:15 AM

Thanks that worked as planned.

0 Karma
Reply

Ayn
Legend
‎09-21-2011 07:12 AM

Great! Could you please mark my answer as accepted? That way it's easier to keep track of what issues are solved or not on the site.

0 Karma
Reply

Ayn
Legend
‎09-20-2011 01:58 PM

How about using append and then grab just the highest value from the two search results?

index=iam_sitexfer AND ""/monitor/bigip.jsp HTTP/1.0" 200 " earliest=-5m 
| stats count by host, source 
| stats count|rangemap field=count low=0-10 elevated=11-100 default=severe
| append
  [search index=iam_sitexfer AND " AUTHENTICATED" earliest=-5m
   | stats count by host, source
   | stats count
   | rangemap field=count low=0-200 elevated=201-500 default=severe]
| sort -count
| head 1
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-20-2011 06:46 PM

Another option might be to use eventtypes. Define an eventtype for each option, then you can do a single count by eventtype,host,source

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...